* [PATCH v1 1/1] Define security policy in SECURITY.md file for repository
2023-03-09 19:43 [PATCH v1 0/1] Define security policy in SECURITY.md file for repository Kun Qin
@ 2023-03-09 19:43 ` Kun Qin
2023-03-28 12:15 ` [edk2-devel] " Rebecca Cran
2023-03-28 0:26 ` [PATCH v1 0/1] " Demeter, Miki
2023-04-05 18:07 ` Leif Lindholm
2 siblings, 1 reply; 6+ messages in thread
From: Kun Qin @ 2023-03-09 19:43 UTC (permalink / raw)
To: devel; +Cc: Sean Brogan
From: Sean Brogan <sean.brogan@microsoft.com>
Create SECURITY.md security policy for tianocore edk2 leveraging CVD and
the Github Private Vulnerability Reporting process.
Co-authored-by: Sean Brogan <sean.brogan@microsoft.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
---
SECURITY.md | 33 ++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..bef046e91aa1
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product.
+We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project.
+But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows
+flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.
+
+## Supported Versions
+
+Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable
+tag and apply patches but given our downstream consumption model this is generally not necessary.
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities through public GitHub issues or bugzilla.
+
+Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
+This process is well documented by github in their documentation
+[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
+More information is available here:
+
+* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html)
+* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)
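Review bot: The project and vendor names are capitalised inconsistently across this file, which reads as unpolished in a document that external reporters will land on first: "Tianocore Edk2" and "Edk2" in the intro, "edk2" in the Supported Versions and Reporting sections, and both "GitHub" ("public GitHub issues") and "Github" ("Github Private vulnerability reporting", "documented by github"). Pick one spelling for each ("TianoCore EDK II" or "edk2", and "GitHub") and apply it throughout. Two omissions a reporter will notice in the Reporting a Vulnerability section: there is no fallback contact for someone who cannot or will not use GitHub's private reporting (e.g. a mailing-list alias or a named maintainer), and no statement of when a reporter can expect an acknowledgement or how long the project intends to hold the report before disclosure; even a rough "we aim to acknowledge within N days" would set expectations and is standard in CVD policies. Minor: the link text "[here]" is not descriptive; consider "GitHub's guide to privately reporting a security vulnerability" so the link survives being read out of context.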
--
2.37.1.windows.1
* Re: [edk2-devel] [PATCH v1 1/1] Define security policy in SECURITY.md file for repository
2023-03-09 19:43 ` [PATCH v1 1/1] " Kun Qin
@ 2023-03-28 12:15 ` Rebecca Cran
0 siblings, 0 replies; 6+ messages in thread
From: Rebecca Cran @ 2023-03-28 12:15 UTC (permalink / raw)
To: devel, kuqin12; +Cc: Sean Brogan
Reviewed-by: Rebecca Cran <rebecca@bsdio.com>
On 3/9/23 12:43 PM, Kun Qin wrote:
> From: Sean Brogan <sean.brogan@microsoft.com>
>
> Create SECURITY.md security policy for tianocore edk2 leveraging CVD and
> the Github Private Vulnerability Reporting process.
>
> Co-authored-by: Sean Brogan <sean.brogan@microsoft.com>
> Signed-off-by: Kun Qin <kun.qin@microsoft.com>
> ---
> SECURITY.md | 33 ++++++++++++++++++++
> 1 file changed, 33 insertions(+)
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 000000000000..bef046e91aa1
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,33 @@
> +# Security Policy
> +
> +Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product.
> +We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project.
> +But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows
> +flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.
> +
> +## Supported Versions
> +
> +Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable
> +tag and apply patches but given our downstream consumption model this is generally not necessary.
> +
> +## Reporting a Vulnerability
> +
> +Please do not report security vulnerabilities through public GitHub issues or bugzilla.
> +
> +Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
> +This process is well documented by github in their documentation
> +[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
> +
> +This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
> +
> +## Preferred Languages
> +
> +We prefer all communications to be in English.
> +
> +## Policy
> +
> +Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
> +More information is available here:
> +
> +* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html)
> +* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)
* Re: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
2023-03-09 19:43 [PATCH v1 0/1] Define security policy in SECURITY.md file for repository Kun Qin
2023-03-09 19:43 ` [PATCH v1 1/1] " Kun Qin
@ 2023-03-28 0:26 ` Demeter, Miki
2023-03-28 16:50 ` [edk2-devel] " Kevin@Insyde
2023-04-05 18:07 ` Leif Lindholm
2 siblings, 1 reply; 6+ messages in thread
From: Demeter, Miki @ 2023-03-28 0:26 UTC (permalink / raw)
To: Kun Qin, devel@edk2.groups.io
Cc: Andrew Fish, Leif Lindholm, Kinney, Michael D, Sean Brogan
Ack
Need to get this acked by others in infosec too
--
Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
FST
Intel Corporation
Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon
NIA-Oregon<https://intel.sharepoint.com/sites/NIA>
Portland Women in Tech Best Speaker
miki.demeter@intel.com<mailto:miki.demeter@intel.com>
503.712.8030 (office)
971.248.0123 (cell)
From: Kun Qin <kuqin12@gmail.com>
Date: Thursday, March 9, 2023 at 1:44 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Andrew Fish <afish@apple.com>, Leif Lindholm <quic_llindhol@quicinc.com>, Kinney, Michael D <michael.d.kinney@intel.com>, Demeter, Miki <miki.demeter@intel.com>, Sean Brogan <sean.brogan@microsoft.com>
Subject: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
This change added a markdown file as a policy guideline for Tianocore EDK2
community to handle security sensitive reports.
Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1
Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Miki Demeter <miki.demeter@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Sean Brogan (1):
Define security policy in SECURITY.md file for repository
SECURITY.md | 33 ++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 SECURITY.md
--
2.37.1.windows.1
* Re: [edk2-devel] [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
2023-03-28 0:26 ` [PATCH v1 0/1] " Demeter, Miki
@ 2023-03-28 16:50 ` Kevin@Insyde
0 siblings, 0 replies; 6+ messages in thread
From: Kevin@Insyde @ 2023-03-28 16:50 UTC (permalink / raw)
To: devel@edk2.groups.io, miki.demeter@intel.com
Cc: Kun Qin, Andrew Fish, Leif Lindholm, Kinney, Michael D,
Sean Brogan
* Re: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
2023-03-09 19:43 [PATCH v1 0/1] Define security policy in SECURITY.md file for repository Kun Qin
2023-03-09 19:43 ` [PATCH v1 1/1] " Kun Qin
2023-03-28 0:26 ` [PATCH v1 0/1] " Demeter, Miki
@ 2023-04-05 18:07 ` Leif Lindholm
2 siblings, 0 replies; 6+ messages in thread
From: Leif Lindholm @ 2023-04-05 18:07 UTC (permalink / raw)
To: Kun Qin, devel; +Cc: Andrew Fish, Michael D Kinney, Miki Demeter, Sean Brogan
On 2023-03-09 19:43, Kun Qin wrote:
> This change added a markdown file as a policy guideline for Tianocore EDK2
> community to handle security sensitive reports.
>
> Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1
>
> Cc: Andrew Fish <afish@apple.com>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Miki Demeter <miki.demeter@intel.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
>
> Sean Brogan (1):
> Define security policy in SECURITY.md file for repository
>
> SECURITY.md | 33 ++++++++++++++++++++
> 1 file changed, 33 insertions(+)
> create mode 100644 SECURITY.md
Nitpick: edk2 is alternatingly capitalised or not in the readme.
But
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>